Author: admin

We have identified an ongoing spear-phishing campaign targeting a variety of entities with malicious RTF documents exploiting three different vulnerabilities: CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802 and taking advantage of a misplaced trust binary, Microsoft’s msxsl, to run a JScript backdoor. The whole attack chain leverages on system’s signed components to remain under the radar as much as possible and it shares many similarities with previous campaigns from the Cobalt Group.Continue reading “Spear-phishing campaign leveraging on MSXSL”→

GDPR or General Data Protection Regulation is a regulation aimed at strengthening and unifying data protection for all European citizens. The GPDR applies to every company, whether in the EU or outside, that processes data of EU citizens, thus impacting companies worldwide, even if they don’t operate directly in the European Union.Continue reading “General Data Protection Regulation”→

MuddyWater is a threat actor that caught our attention for their extensive use of “Living off the Land” attacks in a targeted campaign aimed at the Middle East. During our investigation we reconstruct the evolution of the vectors used and how the group operates to target their victims, evade detections and move laterally inside the compromised infrastructures.Continue reading “A dive into MuddyWater APT targeting Middle-East”→

We have noticed a change of behaviour in the latest spam email campaigns used by Locky. Since its first release Locky took advantage of compromised domains to download the dropper binary, while recently Locky dropper is being delivered embedded into the loader code itself. By tracking these campaigns we have also noticed that Locky’s authors have made several attempts at embedding the dropper into the loader.

Dridex is currently one of the most active and widespread banking malwares. Like Locky ransomware also Dridex is dispatched through a massive spam mail campaign that uses the Necurs botnet. Our sensors have long been tracking these spam campaigns and recent captured emails contain a Word document that drops Dridex. In our latest samples we have observed a delay on execution of the downloader stage that wasn’t present before, we have further investigated to figure out whether Dridex’s authors were experimenting with new, even if basic, anti-sandbox techniques.

On 13th of June, while monitoring Twitter, we have observed an interesting tweet that reported a suspicious domain with an open directory listing. Among the listed files we found a zip archive containing a javascript. In this blogpost we will take a closer look at the javascript and we will show that it has ransomware capabilities, which we have dubbed RAA ransomware and that additionally delivers a dropping stage for the Pony malware.

We have already written about Nemucod downloader when it was paired with 7-Zip, this time we have spotted a new variant in the wild that appears to be a further evolution from previous versions. Before we dig into the analysis part, let’s take a quick look at the most recent history of Nemucod:Continue reading “Nemucod meets a new buddy: PHP”→

ReaQta has been monitoring a new and massive worldwide Locky ransomware spam campaign. The attacks are carried out in the usual way: a javascript file attached to an email message delivered to the victims, although this is the first campaign we have tracked that shows a different deployment behaviour. The javascript downloader usually retrieves Locky’s dropper from a compromised website, while in this case the downloaded file is encoded making it harder for traditional protection solutions to spot the incoming threat.